            FreeBSD: Install and configure Tripwire

            ADD THE TRIPWIRE SECURITY COMPONENT

            Set up Tripwire (ref: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html).
            Edit the /etc/tripwire/twcfg.txt file to reflect the following:

            EDITOR =/usr/bin/pico

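            Edit the /etc/tripwire/twpol.txt file to reflect the following:

            # Violations of the rules in this block are reported to this address.
            (emailto = "me@me.com")
            {
            # "!" marks a stop point: the path is not scanned.
            ! /proc;
            / -> $(ReadOnly);
            ! /dev;
            /boot -> $(ReadOnly);
            /tmp -> $(ReadOnly);
            /var/log -> $(ReadOnly);
            # "l": the file is expected to grow.
            /var/log/httpd/access_log -> l;
            /var/log/httpd/error_log -> l;
            }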

            Install/setup (only once). twinstall.sh prompts for a passphrase for each key:

            /etc/tripwire/twinstall.sh
            site key: web site key
            local key: web local key

            Initialize:

            /usr/sbin/tripwire --init
            
            Check:
            /usr/sbin/tripwire --check
            
            View logs:
            /usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/.twr | less
            
            Remove the entries for files the default setup does not need:
            pico /etc/tripwire/twpol.txt
            
            Generate new policy file:
            /usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
            
            Initialize again:
            /usr/sbin/tripwire --init

            Cron will check daily.

            View logs:
            /usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/.twr | less

            Update the database:
            /usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/.twr

            Customize.
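
A wrapper for the daily cron check, as an added example that is not part of the original post: it runs the `--check` command above, turns the exit status into words and names the newest report file for the `twprint` and `--update` commands. It assumes the exit-status bitmask documented in tripwire(8) (1 added, 2 removed, 4 modified, 8 error) and that reports end in `.twr`; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: helper for the daily check. Function names are hypothetical.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}            # binary path used on this page
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}  # report directory used on this page

# Translate the --check exit status into words. Assumed bitmask, per tripwire(8):
# 1 = added, 2 = removed, 4 = modified, 8 = error during the check.
decode_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out modified"; fi
    if [ $((rc & 8)) -ne 0 ]; then out="$out error"; fi
    if [ -z "$out" ]; then out=" unknown($rc)"; fi
    echo "${out# }"
}

# Print the most recently modified .twr report in directory $1, or return 1.
newest_report() {
    newest=""
    for f in "$1"/*.twr; do
        [ -e "$f" ] || continue          # the glob matched nothing
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Run the check, print a one-line summary, and pass the exit status through
# so cron mail or monitoring can act on it.
daily_check() {
    rc=0
    "$TRIPWIRE" --check >/dev/null 2>&1 || rc=$?
    report=$(newest_report "$REPORT_DIR") || report="(no report found)"
    echo "tripwire: $(decode_status "$rc"); report: $report"
    return "$rc"
}

# Runs only when the script is called with --run, e.g. from a cron job.
if [ "${1:-}" = "--run" ]; then daily_check; fi
```

After reviewing the report it names, pass that same file to the `--update` command above so accepted changes stop being reported.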
